Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. [1] The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. [2] The system was officially launched for the public in September 1999. [3]

The Security Content Automation Protocol uses CVE, and CVE IDs are listed on Mitre's system as well as in the US National Vulnerability Database. [4]

Background

A vulnerability is a weakness in a computer-software system that enables unwarranted access. For example, software that processes credit cards must not allow people to read the credit card numbers it processes, yet a nefarious party might use a vulnerability to read those numbers. Considering a specific vulnerability in isolation is hard because there are many pieces of software, often with many vulnerabilities, possibly of various types. CVE Identifiers assign each vulnerability a unique formal name, thus establishing a common language.

CVE identifiers

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-"), but this practice was ended in 2005 [5] [6] and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g., a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry).

CVEs are assigned by a CVE Numbering Authority (CNA). [7] While some vendors acted as a CNA before then, the name and designation were not created until February 1, 2005. [8] There are three primary types of CVE number assignments:

  1. The Mitre Corporation functions as Editor and Primary CNA
  2. Various CNAs assign CVE numbers for their own products (e.g., Microsoft, Oracle, HP, Red Hat)
  3. A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs

When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence can refer to the CVE number. Information on getting CVE identifiers for issues with open source projects is available from Red Hat [9] and GitHub. [10]

CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category, but custom-built software that is not distributed would generally not be given a CVE. Additionally, services (e.g., a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g., an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed.

CVE data fields

The CVE database contains several fields:

Description

This is a standardized text description of the issue(s). One common entry is:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

This means that the entry number has been reserved by Mitre for an issue, or that a CNA has reserved the number. When a CNA requests a block of CVE numbers in advance (e.g., Red Hat currently requests CVEs in blocks of 500), each CVE number will be marked as reserved even though the CNA may not assign it to an issue for some time. Until the CVE has been assigned, Mitre has been made aware of it (i.e., the embargo has passed and the issue has been made public), and Mitre has researched the issue and written a description of it, the entry will show up as "** RESERVED **".

Record Creation Date

This is the date the entry was created. For CVEs assigned directly by Mitre, this is the date Mitre created the CVE entry. For CVEs assigned by CNAs (e.g., Microsoft, Oracle, HP, Red Hat) this is also the date the entry was created by Mitre, not the date the CNA assigned it. When a CNA requests a block of CVE numbers in advance (e.g., Red Hat currently requests CVEs in blocks of 500), the entry date is the date the CVE was assigned to the CNA.

Obsolete fields

The following fields were previously used in CVE records, but are no longer used.

Changes to syntax

In order to support CVE IDs beyond CVE-YEAR-9999 (also known as the 'CVE10k problem' [11]), a change was made to the CVE syntax in 2014 that took effect on Jan 13, 2015. [12]

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

The variable-length arbitrary digits will begin at four fixed digits and expand with arbitrary digits only when needed in a calendar year; for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, and so on. This also means no changes will be needed to previously assigned CVE-IDs, which all include a minimum of four digits.
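As an added example (not from the original article or from MITRE), the following Python parses and canonicalises identifiers under the variable-length syntax described above and shows the tooling pitfall the change was meant to expose: tools that hard-coded exactly four digits, or that sorted IDs as plain strings, mis-handle the first ID past 9999 in a year. The sample IDs are constructed for illustration and are not real CVE entries; accepting the retired "CAN-" prefix and folding it to "CVE-" is an assumption made here for parsing old advisories.

```python
import re
from typing import NamedTuple, Optional

# Variable-length syntax in force since 13 January 2015: "CVE" prefix, a
# four-digit year, and a sequence number of four or more digits. The legacy
# "CAN-" candidate prefix (retired in 2005) is accepted here by assumption so
# that old advisories still parse; it is normalised to "CVE-".
_CVE_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    seq: int

    def __str__(self) -> str:
        # Canonical spelling: zero-pad the sequence to the four-digit minimum;
        # it grows past four digits only when the number itself needs it.
        return f"CVE-{self.year:04d}-{self.seq:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Parse a CVE (or legacy CAN) identifier; return None if malformed."""
    m = _CVE_RE.match(text.strip())
    if not m:
        return None
    return CveId(year=int(m.group(2)), seq=int(m.group(3)))


def is_canonical(text: str) -> bool:
    """True only if text is exactly the canonical spelling of a valid ID."""
    cid = parse_cve_id(text)
    return cid is not None and str(cid) == text


def sort_cve_ids(ids: list[str]) -> list[str]:
    """Order IDs numerically by (year, sequence number).

    String sorting breaks once a year passes 9999 entries:
    "CVE-2014-10000" sorts before "CVE-2014-9999" lexicographically.
    Malformed strings are dropped rather than silently misplaced.
    """
    parsed = [(cid, s) for s in ids if (cid := parse_cve_id(s)) is not None]
    return [str(cid) for cid, _ in sorted(parsed)]


def legacy_tool_accepts(text: str) -> bool:
    """The pre-2015 assumption many tools hard-coded: exactly four digits."""
    return re.fullmatch(r"CVE-\d{4}-\d{4}", text) is not None


if __name__ == "__main__":
    # Constructed sample IDs, not real CVE entries.
    samples = ["CVE-2014-9999", "CVE-2014-10000", "cve-2014-0042",
               "CAN-2004-0001", "CVE-14-1"]
    for s in samples:
        print(f"{s:16} parsed={parse_cve_id(s)} "
              f"legacy_ok={legacy_tool_accepts(s)}")
    print("numeric order:", sort_cve_ids(samples))
    print("string order: ", sorted(samples))
```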

CVE SPLIT and MERGE

CVE attempts to assign one CVE per security issue; however, in many cases this would lead to an extremely large number of CVEs (e.g., where several dozen cross-site scripting vulnerabilities are found in a PHP application due to lack of use of htmlspecialchars() or the insecure creation of files in /tmp).

To deal with this, guidelines (subject to change) cover the splitting and merging of issues into distinct CVE numbers. As a general guideline, one should first consider issues to be merged, then issues should be split by the type of vulnerability (e.g., buffer overflow vs. stack overflow), then by the software version affected (e.g., if one issue affects version 1.3.4 through 2.5.4 and the other affects 1.3.4 through 2.5.8 they would be SPLIT) and then by the reporter of the issue (e.g., if Alice reports one issue and Bob reports another issue, the issues would be SPLIT into separate CVE numbers).

Another example: Alice reports a /tmp file creation vulnerability in version 1.2.3 and earlier of the ExampleSoft web browser, and in addition to this issue, several other /tmp file creation issues are found. In some cases this may be considered as two reporters and thus SPLIT into two separate CVEs; alternatively, if Alice works for ExampleSoft and an ExampleSoft internal team finds the rest, it may be MERGED into a single CVE. Conversely, issues can be merged: if Bob finds 145 XSS vulnerabilities in ExamplePlugin for ExampleFrameWork, regardless of the versions affected and so on, they may be merged into a single CVE. [13]

Search CVE identifiers

The Mitre CVE database can be searched at the CVE List Search, and the NVD CVE database can be searched at Search CVE and CCE Vulnerability Database.

CVE usage

CVE identifiers are intended for use with respect to identifying vulnerabilities:

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem. [14]

Users who have been assigned a CVE identifier for a vulnerability are encouraged to ensure that they place the identifier in any related security reports, web pages, emails, and so on.

CVE assignment issues

Per section 7 of the CNA Rules, a vendor which received a report about a security vulnerability has full discretion in regard to it. [15] This can lead to a conflict of interest, as a vendor may attempt to leave flaws unpatched by denying a CVE assignment in the first place – a decision which Mitre can't reverse. The "!CVE" (not CVE) project, announced in 2023, aims to collect vulnerabilities that are denied by vendors, so long as they are considered valid by a panel of experts from the project. [16]

CVE identifiers have been awarded for bogus issues and issues without security consequences. [17] In response, a number of open-source projects have themselves applied to become the CVE Numbering Authority (CNA) of their own project. [18]

References

  1. Wu, Xiaoxue; Zheng, Wei; Chen, Xiang; Wang, Fang; Mu, Dejun (2020). "CVE-assisted large-scale security bug report dataset construction method". Journal of Systems and Software. 160: 110456. doi:10.1016/j.jss.2019.110456. S2CID 209056007.
  2. "CVE – Common Vulnerabilities and Exposures". Mitre Corporation. 3 July 2007. Retrieved 18 June 2009. CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
  3. "CVE - History". cve.mitre.org. Retrieved 25 March 2020.
  4. cve.mitre.org. CVE International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.
  5. "CVE - Frequently Asked Questions". cve.mitre.org. Retrieved 1 September 2021.
  6. Kouns, Jake (13 August 2009). "Reviewing(4) CVE". OSVDB: Everything is Vulnerable. Archived from the original on 1 September 2021. Retrieved 1 September 2021.
  7. "CVE - CVE Numbering Authorities". Mitre Corporation. 1 February 2015. Retrieved 5 March 2024.
  8. "CVE - CVE Blog "Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition?" (guest author)". cve.mitre.org. Retrieved 17 September 2021.
  9. "CVE OpenSource Request HOWTO". Red Hat Inc. 14 November 2016. Retrieved 29 May 2019. There are several ways to make a request depending on what your requirements are:
  10. "About GitHub Security Advisories". GitHub. Retrieved 23 December 2021. GitHub Security Advisories builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list
  11. Christey, Steven M. (12 January 2007). "CVE - The CVE-10K Problem". cve.mitre.org. The MITRE Corporation. Retrieved 25 November 2023.
  12. "CVE - CVE ID Syntax Change". cve.mitre.org. 13 September 2016.
  13. "CVE Abstraction Content Decisions: Rationale and Application (Archived)". The Mitre Corporation. 15 June 2005. Retrieved 6 January 2024.
  14. "CVE - About CVE". cve.mitre.org. Retrieved 28 July 2015.
  15. "CVE Numbering Authority Rules - Assignment Rules" (PDF). The MITRE Corporation. 1 February 2020. pp. 13–15. Retrieved 6 December 2023.
  16. Edge, Jake (5 December 2023). "Supplementing CVEs with !CVEs". lwn.net.
  17. Edge, Jake (13 September 2023). "The bogus CVE problem". lwn.net.
  18. "A turning point for CVE numbers". LWN.net. 14 February 2024.